Ask Your Question

Make tshark undissect the data layer

asked 2022-11-27 12:51:51 +0000

liron gravatar image

Hi, Is there any option to run tshark without dissecting the data layer? I want to get the bytes or hex of the data layer in my json output


edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2022-11-28 18:05:09 +0000

André gravatar image

Use the option --disable-protocol to stop dissecting that protocol and treat it as data instead.

edit flag offensive delete link more


Thank you for your answer! Is there any way to disable all the data layer protocols at once? Or I must disable only specific ptorocols?

liron gravatar imageliron ( 2022-11-28 22:28:54 +0000 )edit

That depends on what you mean by "data layer protocol":

  • For 'data link layer protocol' it is probably easier to list the protocols like --disable-protocol eth
  • For protocols on top of TCP you can use the 'decode as' option: -d tcp.port==0-65535,data
André gravatar imageAndré ( 2022-11-29 18:55:41 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2022-11-27 12:50:55 +0000

Seen: 112 times

Last updated: Nov 28 '22